Wednesday 6 October 2010

LDAP Bind Account Requirements


Some organizations may wish to use a specific user account (other than the administrator) for the Bind process. Whichever account is chosen, it is important to ensure that the Bind DN account has the correct level of permissions on the LDAP directory, and not more than it needs: the Bind DN password has to be configured on the Deepnet server, so an over-privileged bind account widens the damage if that server is ever compromised.



When creating an application in Deepnet that imports users from an LDAP server, a user account must be defined for connecting to the LDAP directory. This account is known as the Bind Distinguished Name (DN), and the process of connecting to the LDAP directory is known as binding. In theory, this can be any ordinary authenticated user, because by default an authenticated user in Active Directory has read access to most of the directory. During the Bind process, the Bind DN account is used to search for the user account that is attempting to authenticate to Deepnet Authentication Server. The Bind DN must also be configured with the account's correct password (the Bind DN Password).



In the example below, a Bind DN account named CN=ed binden,CN=users,DC=nanoart,DC=local will be used to connect to an LDAP directory whose Base DN is DC=nanoart, DC=local.




At a minimum, the Bind DN account must have:

    • Read access to the user objects in the LDAP directory in order to search for user accounts

    • Read access to the Base DN (for example, DC=nanoart, DC=local) including the attribute that is used as the LDAP Login Name (for example, sAMAccountName)


Generally, we use ADSI Edit to check the security permissions on these objects (right-click the object, Properties, Security tab). Remember that user objects normally get their read access through inherited entries for Authenticated Users and Pre-Windows 2000 Compatible Access; if those defaults have been removed in a hardened domain, the Bind DN account will need an explicit grant.




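The same check can be done from PowerShell instead of clicking through ADSI Edit. The script below is an added example and not part of the original post or of Deepnet's own tooling: it reads the ACL of the Base DN and of one sample user object through the ActiveDirectory module's AD: drive, resolves the property and property-set GUIDs to names, and prints only the entries that grant some form of read access to the Bind DN account, to its groups, or to the well-known principals through which a plain domain account normally gets read access. The domain, the sample user and the Bind DN are assumptions taken from the post's example; substitute your own.

```powershell
# Added example (not from the original post): list the ACEs that give the Bind DN
# account read access on the Base DN and on a sample user object.
# Domain, account and user names below are assumptions; substitute your own.
Import-Module ActiveDirectory

$BaseDN     = 'DC=nanoart,DC=local'
$BindDN     = 'CN=ed binden,CN=Users,DC=nanoart,DC=local'
$SampleUser = 'CN=John Doe,CN=Users,DC=nanoart,DC=local'   # any user Deepnet will import

# Resolve schema attribute GUIDs and extended-right / property-set GUIDs to names,
# otherwise ObjectType on each ACE is just an opaque GUID.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

# Principals whose ACEs matter. ACE identities are NT account names, so the bind
# account is matched by sAMAccountName, and groups by their (usually identical) name.
$bindSam     = (Get-ADUser -Identity $BindDN).SamAccountName
$groups      = (Get-ADPrincipalGroupMembership -Identity $BindDN).Name
$interesting = @($bindSam) + $groups + @('Authenticated Users', 'Everyone', 'Pre-Windows 2000 Compatible Access')

$readRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ListChildren

foreach ($path in $BaseDN, $SampleUser) {
    "`n== $path"
    $acl = Get-Acl -Path "AD:\$path"
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value -replace '^.*\\', ''     # strip DOMAIN\ or NT AUTHORITY\
        if ($interesting -notcontains $who) { continue }
        if (($ace.ActiveDirectoryRights -band $readRights) -eq 0) { continue }
        # An empty ObjectType means the right applies to every property of the object.
        $what = if ($ace.ObjectType -eq [guid]::Empty) { '<all properties>' }
                elseif ($guidMap.ContainsKey($ace.ObjectType)) { $guidMap[$ace.ObjectType] }
                else { $ace.ObjectType.ToString() }
        "{0,-6} {1,-35} {2,-30} {3} (inherit: {4})" -f $ace.AccessControlType, $who, $what, $ace.ActiveDirectoryRights, $ace.InheritanceType
    }
}
```

A Deny entry for any of the listed principals on an attribute Deepnet needs wins over an Allow, so look at the AccessControlType column first. Entries on the Base DN only reach user objects if their inheritance type is Descendents or All, which is why the inheritance flag is printed.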
In order to do Group Extraction, which is the process of determining a user’s group membership and returning those values to Deepnet Authentication Server, the Bind DN account must also have:

    • Read access to the group attributes in the LDAP directory

In order to support password expiration during authentication, the Bind DN account must also have:
    • Read access to the pwdLastSet, userAccountControl, and msDS-User-Account-Control-Computed attributes in the LDAP directory (the last one is a constructed attribute, so the client has to request it explicitly)

In order to use an alternative Single Sign On attribute (SSO Name Attribute), such as the userPrincipalName (UPN), the Bind DN account must also have:
    • Read access to the particular SSO Name Attribute of interest in the LDAP directory
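Reading the ACL tells you what was granted; the quickest proof that the grants are sufficient is to bind as the Bind DN and read the attributes. The script below is an added example, not code from the original post or from Deepnet: it performs a simple bind with the Bind DN and password (over LDAPS, because a simple bind otherwise sends the password in the clear), searches the Base DN for a test user by sAMAccountName exactly as the import would, requests every attribute named in the requirements above, and reports which ones came back. Active Directory silently omits attributes the caller is not allowed to read rather than returning an error, so an attribute that is populated on the object but missing from the result is a permissions problem. The server name, Base DN, Bind DN and test user are assumptions; substitute your own.

```powershell
# Added example (not from the original post): bind as the Bind DN account and
# confirm it can read every attribute Deepnet needs for a given user.
# Server, Base DN, Bind DN and test user are assumptions; substitute your own.
param(
    [string]$Server   = 'dc1.nanoart.local',
    [string]$BaseDN   = 'DC=nanoart,DC=local',
    [string]$BindDN   = 'CN=ed binden,CN=Users,DC=nanoart,DC=local',
    [string]$TestUser = 'jdoe'                 # sAMAccountName of a user Deepnet will import
)

Add-Type -AssemblyName System.DirectoryServices
$pass = (Get-Credential -UserName $BindDN -Message 'Bind DN password').GetNetworkCredential().Password

# Simple bind (DN + password) the way an LDAP client such as Deepnet does it, but
# over LDAPS on 636 so the password is not sent in clear text. A wrong password or a
# missing read right on the Base DN itself fails here, at RefreshCache().
$auth = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Server}:636/$BaseDN", $BindDN, $pass, $auth)
try { $root.RefreshCache() } catch { throw "Bind as $BindDN failed: $($_.Exception.Message)" }

# Attributes the Bind DN must be able to read, grouped by the feature that needs them.
$required = [ordered]@{
    'login name / search'  = @('sAMAccountName', 'distinguishedName')
    'group extraction'     = @('memberOf', 'primaryGroupID')
    'password expiration'  = @('pwdLastSet', 'userAccountControl', 'msDS-User-Account-Control-Computed')
    'SSO name attribute'   = @('userPrincipalName')
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$TestUser))"
$searcher.SearchScope = 'Subtree'
$searcher.PropertiesToLoad.Clear()
foreach ($list in $required.Values) { foreach ($attr in $list) { $null = $searcher.PropertiesToLoad.Add($attr) } }

$result = $searcher.FindOne()
if (-not $result) { throw "User $TestUser not found under $BaseDN (no such user, or no read access to user objects)" }

# AD omits attributes the caller cannot read instead of returning an error, so
# MISSING on an attribute that is set on the object means a missing Read Property right.
$props = $result.Properties
foreach ($feature in $required.Keys) {
    foreach ($attr in $required[$feature]) {
        $key = $attr.ToLower()                  # ResultPropertyCollection keys are lower-case
        if ($props.Contains($key) -and $props[$key].Count -gt 0) {
            $shown = ($props[$key] | Select-Object -First 3) -join '; '
            "{0,-22} {1,-36} OK       {2}" -f $feature, $attr, $shown
        } else {
            "{0,-22} {1,-36} MISSING  (empty on the object, or Bind DN lacks Read Property)" -f $feature, $attr
        }
    }
}
```

Run it as any domain member with the Bind DN password to hand; nothing in it requires the Deepnet server itself. memberOf does not list the user's primary group, which is why primaryGroupID is requested alongside it.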


Finally, I'd like to point out that you can even configure Active Directory to allow anonymous queries; have a look at Q320528 and "Anonymous LDAP operations in Windows 2003 AD". Enabling this is not recommended, though: it exposes the directory to anything that can reach the LDAP port, and the objects Deepnet reads would still need explicit read permissions for the ANONYMOUS LOGON principal, so a dedicated, minimally privileged Bind DN account is the better option.
